Information Security Standards
Dan Constantin Tofan
Academy of Economic Studies Bucharest, Romana Square, district 1, Bucharest 010374, ROMANIA, tofandan@yahoo.com
The use of standards is widely accepted and makes it possible to compare an organization's own security system with a frame of reference adopted at an international level. A good example is the ISO 9000 set of standards regarding quality management systems, which is a common reference regardless of the industry in which a company operates. Just like quality control standards for other industrial processes such as manufacturing and customer service, information security standards demonstrate in a methodical and certifiable manner that an organization conforms to industry best practices and procedures. This article offers a review of the world's most used information security standards.
Information Security Standards, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 17799, COBIT, NIST SP 800 series, Federal Office for Information Security (BSI), ISF Standard of Good Practice for Information Security.
1. What is an information security standard?
Generally speaking, a standard, whether it is an accountability standard, a technical standard or an information security standard, represents a set of requirements that a product or a system must meet. Conformity of a product or system with a certain standard demonstrates that it fulfills all the
There are currently several primary standards in place governing information security.

The first is the ISO/IEC 27000 series of standards. It is the most recognizable, as it bears the internationally prestigious names of the International Organization for Standardization and the International Electrotechnical Commission. It originated with the British Standards Institution (BSI) in 1995 as BS 7799 (Information Security Management System), was later taken over by ISO, and was released as the ISO/IEC 27000 series (the ISMS family of standards) and as ISO/IEC 17799:2005 "Information technology – Security techniques – Code of practice for information security management" (since renumbered as ISO/IEC 27002).

Secondly, there is the NIST SP 800 series of special publications, issued by the National Institute of Standards and Technology (NIST) in the USA; these are guidelines rather than mandatory standards, but they are very widely used as a reference.

Another information security standard is the Information Security Forum's Standard of Good Practice for Information Security. This article also includes a description of COBIT and of the BSI-Standards 100 series published by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, also abbreviated BSI, not to be confused with the British Standards Institution above). Due to lack of space, other international standards and frameworks such as ITIL could not be presented.
2. Why do we need an information security standard?
The use of standards is widely accepted and makes it possible to compare an organization's own security system with a frame of reference adopted at an international level. A good example is the ISO 9000 set of standards regarding quality management systems, which is a common reference regardless of the industry in which a company operates. Standards ensure desirable characteristics of products and services such as quality, safety, reliability, efficiency and